From d0b81a185c260ffceecb9d7470b3ddfbfeda4c11 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Wed, 11 Jan 2012 11:51:04 +1100
Subject: [PATCH] 367638: 361316: protected multipart filter from DoS
---
 .../jetty/server/handler/ContextHandler.java | 5 ++++-
 .../org/eclipse/jetty/servlets/MultiPartFilter.java | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
index 3538d75f96d..f827bdd9c68 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java
@@ -75,7 +75,10 @@ import org.eclipse.jetty.util.resource.Resource;
 *

* If the context init parameter "org.eclipse.jetty.server.context.ManagedAttributes" is set to a comma separated list of names, then they are treated as
 * context attribute names, which if set as attributes are passed to the servers Container so that they may be managed with JMX.
- *
+ *

+ * The maximum size of a form that can be processed by this context is controlled by the system properties org.eclipse.jetty.server.Request.maxFormKeys
+ * and org.eclipse.jetty.server.Request.maxFormContentSize. These can also be configured with {@link #setMaxFormContentSize(int)} and {@link #setMaxFormKeys(int)}
+ *
 * @org.apache.xbean.XBean description="Creates a basic HTTP context"
 */
 public class ContextHandler extends ScopedHandler implements Attributes, Server.Graceful
diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/MultiPartFilter.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/MultiPartFilter.java
index 049f37072b1..a2dd4492ed1 100644
--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/MultiPartFilter.java
+++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/MultiPartFilter.java
@@ -59,6 +59,13 @@ import org.eclipse.jetty.util.TypeUtil;
 *

* If the init parameter "delete" is set to "true", any files created will be deleted when the
 * current request returns.
+ *

+ * The init parameter maxFormKeys sets the maximum number of keys that may be present in a
+ * form (default set by system property org.eclipse.jetty.server.Request.maxFormKeys or 1000) to protect
+ * against DOS attacks by bad hash keys.
+ *

+ * The init parameter deleteFiles controls if uploaded files are automatically deleted after the request + * completes. * */ public class MultiPartFilter implements Filter @@ -69,6 +76,7 @@ public class MultiPartFilter implements Filter private boolean _deleteFiles; private ServletContext _context; private int _fileOutputBuffer = 0; + private int _maxFormKeys = Integer.getInteger("org.eclipse.jetty.server.Request.maxFormKeys",1000).intValue(); /* ------------------------------------------------------------------------------- */ /** @@ -82,6 +90,9 @@ public class MultiPartFilter implements Filter if(fileOutputBuffer!=null) _fileOutputBuffer = Integer.parseInt(fileOutputBuffer); _context=filterConfig.getServletContext(); + String mfks = filterConfig.getInitParameter("maxFormKeys"); + if (mfks!=null) + _maxFormKeys=Integer.parseInt(mfks); } /* ------------------------------------------------------------------------------- */ @@ -134,7 +145,7 @@ public class MultiPartFilter implements Filter String content_transfer_encoding=null; - outer:while(!lastPart) + outer:while(!lastPart && params.size()<_maxFormKeys) { String type_content=null;
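Review bot: The added Javadoc paragraph for the init parameter `deleteFiles` describes the same behaviour as the existing paragraph directly above it, which names the parameter `delete`, so the class comment now documents two names for one switch. Which name init() actually reads is outside this hunk; keep only the paragraph that matches the code. The maxFormKeys paragraph should also state what happens once the limit is reached, for example `Parts received after maxFormKeys distinct keys are not parsed.`, because the loop change in the last hunk stops reading rather than rejecting the request.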
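Review bot: `Integer.parseInt(mfks)` accepts zero and negative values, and with the new loop condition `params.size()<_maxFormKeys` such a value makes the filter skip every part, so a configuration slip turns all multipart requests into empty forms with no error reported. Reject it when the filter starts, e.g. `if (_maxFormKeys<=0) throw new ServletException("maxFormKeys must be positive: "+mfks);` (assuming ServletException is already imported in this file). A non-numeric value already fails with NumberFormatException, the same as the fileOutputBuffer parsing above it. The init method begins outside this hunk.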
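Review bot: When the limit is reached, `outer:while(!lastPart && params.size()<_maxFormKeys)` simply stops, so the request appears to continue with a truncated parameter set instead of being rejected; application code that validates a later field would then see it as absent rather than see an oversized request. If lastPart is the only normal exit, fail explicitly after the loop, e.g. `if (!lastPart) throw new IllegalStateException("Form too many keys");`, or send a 4xx response. `params.size()` presumably counts distinct names, so parts that repeat one name, and any files written for them, are not bounded by this check and would need a separate cap on total parts or bytes. The loop body and the code after it are outside the hunk, so confirm both points against the full method.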